On September 7, Fortress Trust disclosed that several customers had been "impacted by a third-party vendor" compromise. On September 8, Fortress Trust announced they had been acquired by Ripple. On September 11, The Block reported that Ripple had covered undisclosed losses to customers as a part of the acquisition deal. The losses were later disclosed to be around $15 million, and the third-party vendor was said to be a company called Retool, who blamed the compromise on a social engineering attack against one of their employees.
Fortress Trust hit by "security incident", bailed out by Ripple
Fortress Trust is a crypto custody and blockchain infrastructure company, founded by Scott Purcell. Purcell is also known for founding Prime Trust, which later lost over $75 million in customer funds, squandered another $8 million gambling on Terra/Luna just before its collapse, and then filed for bankruptcy in August 2023. Purcell is also embroiled in a lawsuit from former company Banq, now also bankrupt, which alleges he stole trade secrets and other valuable material to start Fortress.
- Tweet thread by Fortress Trust [archive]
- "Ripple Acquires Crypto-Focused Chartered Trust Company Fortress Trust", CoinDesk [archive]
- "Ripple made Fortress customers hit by security incident whole as part of acquisition", The Block [archive]
- "Episode 125 – How to Steal Almost $100 Million: Prime Trust goes Bust", Crypto Critics' Corner [archive]
Paxos pays $500,000 fee to send $1,865
A wallet on the Bitcoin blockchain paid a 19.82 BTC ($499,171) fee to transfer 0.074 BTC ($1,865). Put another way, they spent 270x the transaction value to pay the fee. Bitcoin transaction fees are required to make any action on the Bitcoin blockchain, and people can opt to pay higher fees to incentivize their transactions being processed sooner. 19.82 BTC is far outside the realm of someone just hoping to get a speedy transaction, however — the next-highest transaction fee in that block was 0.006 BTC ($159.20).
Bitcoiner Jameson Lopp speculated that the transaction "looks like an exchange or payment processor with buggy software" based on its transaction history. "The address in question that made the fee calculation error has the characteristics of a withdraw-only hot wallet from an enterprise," he wrote.
His observations were well-founded, as it later came out that the wallet belonged to the Paxos blockchain company, who attributed the overpayment to a bug. Luckily for Paxos, the miner who snapped up the outsized fee agreed to refund it.
- Bitcoin transaction on Blockchain.com explorer [archive]
- Tweet thread by Jameson Lopp [archive]
Vitalik Buterin's Twitter account hacked to promote crypto scam
The Twitter account belonging to Vitalik Buterin, inventor and effective leader of the Ethereum project, was hacked to promote a crypto scam. A tweet posted to his compromised account advertised a "commemorative NFT" to celebrate the impending release of "proto-danksharding", which is the actual name for an upcoming change to the Ethereum protocol.
However, the link was a scam, and anyone who connected their wallet risked having their wallet drained of its cryptocurrency and NFTs. Some blue-chip NFTs were stolen, including two CryptoPunks (a collection with a floor price of around 47 ETH, or $76,800). Altogether, stolen assets surpassed $650,000 in value within a few hours of the theft according to zachxbt, though this counts notoriously difficult-to-value NFTs.
The tweet was taken down within twenty minutes of being posted. All in all, posting a link to a wallet drainer was probably among the least effective things the attacker could do with the Twitter account of a person whose word can dramatically move markets.
It did seem to be something of a stark warning to some in the crypto world, however, who expressed sentiments along the lines of "if Vitalik can get hacked, anyone can."
NFT startup Glass shuts down a year after raising $5 million
The NFT startup Glass was operating under the assumption that YouTubers and others who post video content for fans online might want to mint those videos as NFTs, which their fans could then buy. Unfortunately for them, they have since "come to the conclusion that there is not sustainable demand for video NFTs".
In September 2022, the startup managed to raise $5 million from investors including TCG Crypto and 1kx. Either that money's run out, or they're cutting their losses early.
Founder of the Thodex crypto exchange sentenced to 11,196 years in prison
As of writing, the April 2021 $2 billion Thodex exit scam is the second largest exit scam recorded in the Web3 is Going Great leaderboard. Thodex was one of the largest crypto exchanges in Turkey, until its CEO, Faruk Fatih Özer, disappeared along with $2 billion in customer funds.
He was arrested in August 2022 after a year on the run. Now, he and his brother and sister have all been sentenced to 11,196 years in prison – sentences so over the top that one has to wonder if perhaps Turkish prosecutors are worried the Özers are some kind of crypto-focused vampire crime family. They will also pay a 135 million lira fine (~$5 million).
CFTC goes after three defi projects
The CFTC has announced charges and settlements against defi projects Opyn, ZeroEx, and Deidex for various commodities law violations. The projects will pay $250,000, $200,000, and $100,000, respectively, to settle the charges. They have also agreed to cease and desist the activities.
The CTFC stated: "Somewhere along the way, DeFi operators got the idea that unlawful transactions become lawful when facilitated by smart contracts. They do not."
Fourth FTX exec pleads guilty, agrees to forfeit $1.5 billion
Former CEO of FTX's Bahamian entity, Ryan Salame, has pleaded guilty to two criminal charges in the ongoing case against FTX and founder Sam Bankman-Fried. Salame (pronounced "Salem") is the fourth exec to plead guilty, following pleas from Caroline Ellison and Gary Wang in December 2022, and another from Nishad Singh in February 2023.
As part of the deal, Salame has agreed to forfeit $1.5 billion. He will also pay $5.6 million restitution to FTX debtors and $6 million to the U.S. government, and will forfeit two homes in the Berkshires and a 2021 Porsche 911. According to the New York Times, he is not cooperating with the investigation.
Salame's sentencing is scheduled for March 2024.
Victim loses around $24 million in phishing scam
A crypto phisher hit it big today when they lured in a victim with a massive wallet balance. The victim wallet was drained of 4,851 rETH and 9,579 stETH, both wrapped versions of ETH used for staking. Altogether, the tokens are priced at around $24 million.
The wallet address used by the phisher has been associated with multiple crypto phishing websites which attempt to convince users to authorize transactions, often by impersonating known crypto projects or promising token airdrops.
High-profile streamers bail on MrBeast-promoted Creator League after learning there are blockchains involved
A group of high-profile streamers and social media influencers agreed to join eFuse's "Creator League", where they would lead community e-sports teams. The project was announced on September 2, and was promoted by mega-influencer MrBeast. Only days later, the project has been put on hold after some of those influencers balked once they learned blockchains were involved.
YouTuber CDawgVA publicly withdrew from the project on September 3, writing, "I was not told or made aware at any point that there was Blockchain technology and was only made aware of that information when the event went live. I was given assurances that it had nothing to do with NFT's. Given my vocal hatred of such tech, I would never agree to join had I known that."
The creator of the OTK Network, which had agreed to participate in the League, wrote: "We were told there was no NFT/crypto component but looks like that may not be the case."
Creator League issued a statement attempting to downplay its blockchain usage, emphasizing that people who purchased "Creator Passes" were not buying cryptocurrency or NFTs. "The Creator League is not an NFT project and we have never sold tokens," they insisted. "Those buyers who remain uncomfortable with the blockchain technology can request a refund," they continued.
Now, Creator League has been postponed. eFuse, the company behind it, has also just announced a 30% layoff amid company restructuring.
Stolen LastPass vaults possibly cracked to enable crypto thefts
In November 2022, popular password management tool LastPass disclosed that hackers had stolen "password vaults" containing data belonging to more than 25 million users. Although the vaults themselves are encrypted, some experts now believe that these vaults are being cracked to enable access to crypto credentials stored within.
A report by cybersecurity expert Brian Krebs outlines how various experts have come to this conclusion after analyzing a long string of crypto thefts perpetrated against people with otherwise strong security practices. Altogether, the thefts suspected to have been enabled by the LastPass breach amount to more than $35 million.
- "Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach", Krebs on Security [archive]